Archive for February, 2009

I’m finding there is a huge gulf between playing with Windows Server 2008 in a lab and working with it in a production environment. The biggest difference for me is that I typically use a built-in Administrator account in the lab environment, but work with an account with delegated permissions in production. This means I encounter…er…challenges with User Account Control (UAC) on a fairly regular basis. I have already blogged about some scenarios in which UAC doesn’t error or fail gracefully here, here and here.

Today’s blog entry is all about the following UAC-related Group Policy setting:

Enabled by default, this setting basically forces all users, including Administrators, to run as standard users. Any task that needs to run as Administrator has to be launched with elevated privilege. It is a setting that is entirely sensible from a security perspective, but it can cause frustration and confusion in certain situations. Here’s an example scenario.

Let’s say you are logged into a Windows Server 2003 (or Vista) machine with an account that is a member of the local Administrators group. By default the Administrators group has Full Control permissions over files and folders on the machine. With the above-mentioned Group Policy enabled, however, you may not be able to, for example, create new text files by right-clicking within Windows Explorer (unless you have rights to do so through either explicit permissions or through membership of other groups). For example, when right-clicking in the root of C:\ you are only likely to have the ability to create a new folder by default, as shown below.

No problem, you might think, my account is a member of the local Administrators group so I’ll just fire up Windows Explorer in elevated mode by right-clicking the icon and choosing “Run as Administrator”. Doing this gives all the appearance of running in elevated mode, but in reality does nothing.

So how the heck do you create new text files? Or, for that matter, how do you do all those other things that require elevated privileges that you typically would do from within Windows Explorer in earlier versions of the OS? Well, there may be other methods, but the workaround I found was to open Notepad in elevated mode. Then from within Notepad select File -> Open and this gives you, effectively, an elevated Windows Explorer to work with, as shown below.

Another option would be to open a command window using “Run as Administrator” and create the text file from there. You could then edit and save it using an elevated Notepad session. Again, a rather clumsy workaround for something that you did without thinking in previous versions of the OS.
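The following PowerShell is an added example, not code from the original post: it tells a full administrator token apart from the filtered token UAC hands to an Administrators member, probes whether the current token may create a file in a folder (the system drive root by default, with a constructed file name that is removed again), and falls back to the post's elevated-Notepad workaround. The function names and the probe file name are my own.

```powershell
# Added example (not from the original post): report the UAC token state and
# test file creation in a folder before assuming "Run as Administrator" worked.
function Get-UacTokenState {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    # IsInRole() inspects the token actually in use, so it returns $false in a
    # non-elevated window even when the account sits in local Administrators.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    # whoami lists the Administrators group (well-known SID S-1-5-32-544) with the
    # attribute "Group used for deny only" when UAC has filtered the token.
    $admins = whoami /groups /fo csv | ConvertFrom-Csv |
              Where-Object { $_.SID -eq 'S-1-5-32-544' }
    [pscustomobject]@{
        User           = $id.Name
        Elevated       = $elevated
        InAdminsGroup  = [bool]$admins
        AdminsDenyOnly = [bool]($admins -and ($admins.Attributes -match 'deny only'))
    }
}

function Test-CanCreateFile {
    param([string]$Folder = ($env:SystemDrive + '\'))
    # Constructed probe name; the file is deleted immediately on success.
    $probe = Join-Path $Folder ('uac-probe-{0}.txt' -f ([guid]::NewGuid()))
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

$state = Get-UacTokenState
$state | Format-List
if (-not (Test-CanCreateFile)) {
    if ($state.InAdminsGroup -and -not $state.Elevated) {
        Write-Warning 'Member of Administrators, but the token is filtered: elevate first.'
        # The post's workaround: an elevated Notepad (File -> Open) acts as an
        # elevated Explorer. -Verb RunAs triggers the UAC consent prompt.
        Start-Process -FilePath notepad.exe -Verb RunAs
    } else {
        Write-Warning 'No write access in this folder and no Administrators membership to elevate with.'
    }
}
```

Run it once from a normal window and once from a "Run as Administrator" window: Elevated flips from False to True and AdminsDenyOnly from True to False, which is the difference the Explorer icon never shows you.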

If nothing else, UAC in Windows Server 2008 and Vista forces you to think outside the box. The old ways in which you used to work with the user interface in earlier versions of the OS may no longer apply. It can be deeply frustrating, but I suspect UAC is here to stay because of the security benefits it delivers. We may as well get used to it.

Okay, okay, I realise that I may be labouring the point somewhat. I’ve already written two blog entries (here and here) about UAC in Windows Server 2008 and this is the third and (probably) last.

When you check DC replication using the repadmin /showreps command from a privileged command window you might see something like this:

SITE1\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 0f28ec82-687f-4a16-81fb-bc7dc6b67fa9
DSA invocationID: 498ceb24-0a84-40a9-b8cb-63b1ff9a8ed1

==== INBOUND NEIGHBORS ======================================

DC=MYCO,DC=COM
    SITE0\DC2 via RPC
        DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
        Last attempt @ 2009-02-04 13:48:49 was successful.

CN=Configuration,DC=MYCO,DC=COM
    SITE0\DC2 via RPC
        DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
        Last attempt @ 2009-02-04 13:48:49 was successful.

CN=Schema,CN=Configuration,DC=MYCO,DC=COM
    SITE0\DC2 via RPC
        DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
        Last attempt @ 2009-02-04 13:48:49 was successful.

DC=ForestDnsZones,DC=MYCO,DC=COM
    SITE0\DC2 via RPC
        DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
        Last attempt @ 2009-02-04 13:48:49 was successful.

DC=DomainDnsZones,DC=MYCO,DC=COM
    SITE0\DC2 via RPC
        DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
        Last attempt @ 2009-02-04 13:48:49 was successful.

However, when you run the same command from an unprivileged command window, you might see the errors shown below.

SITE1\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 0f28ec82-687f-4a16-81fb-bc7dc6b67fa9
DSA invocationID: 498ceb24-0a84-40a9-b8cb-63b1ff9a8ed1

==== INBOUND NEIGHBORS ======================================

DC=MYCO,DC=COM
    SITE0\DC2 via RPC
        DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
        Last attempt @ 2009-02-04 13:48:49 was successful.

CN=Configuration,DC=MYCO,DC=COM
    SITE0\DC2 via RPC
        DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
        Last attempt @ 2009-02-04 13:48:49 was successful.

CN=Schema,CN=Configuration,DC=MYCO,DC=COM
    SITE0\DC2 via RPC
        DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
        Last attempt @ 2009-02-04 13:48:49 was successful.

DC=ForestDnsZones,DC=MYCO,DC=COM
    SITE0\DC2 via RPC
        DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
        Last attempt @ 2009-02-04 13:48:49 was successful.

DC=DomainDnsZones,DC=MYCO,DC=COM
    SITE0\DC2 via RPC
        DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
        Last attempt @ 2009-02-04 13:48:49 was successful.

DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.

DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.

Note that the information returned is identical. The only difference is that you see the errors at the end when running in an unprivileged window. I believe the errors relate to a missing “Monitor Replication Topology” extended right at the root of each of the directory naming contexts (partitions).

As with other UAC annoyances, the errors can potentially be confusing. I guess the moral of the story with Windows Server 2008 is to always be aware of when you need to run commands with full privileges. In my case it clearly takes some getting used to.
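The following PowerShell is an added example, not code from the original post: it runs repadmin /showreps, counts the per-partition "Last attempt" results separately from the trailing status 8453 lines, and uses the session's elevation state to decide whether "Replication access was denied" is the unprivileged-window noise described above or something worth investigating. The function name and verdict labels are my own.

```powershell
# Added example (not from the original post): separate the access-denied noise
# of an unprivileged window from real replication failures in repadmin output.
function Invoke-ShowRepsCheck {
    param([string]$DC = $env:COMPUTERNAME)

    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2>&1 folds repadmin's error text into the same stream as its report.
    $lines = repadmin /showreps $DC 2>&1 | ForEach-Object { "$_" }

    # One "Last attempt @" line per inbound neighbour per naming context.
    $attempts = @($lines | Where-Object { $_ -match 'Last attempt @' })
    $failed   = @($attempts | Where-Object { $_ -notmatch 'was successful' })
    # Status 8453 (0x2105) is the error the post shows at the end of the report.
    $denied   = @($lines | Where-Object { $_ -match 'status 8453 \(0x2105\)' })

    $verdict = if ($failed.Count -gt 0) { 'ReplicationFailure' }
               elseif ($denied.Count -gt 0 -and -not $elevated) { 'UacFilteredToken' }
               elseif ($denied.Count -gt 0) { 'AccessDeniedWhileElevated' }
               else { 'Healthy' }

    [pscustomobject]@{
        DC             = $DC
        Elevated       = $elevated
        Attempts       = $attempts.Count
        FailedAttempts = $failed.Count
        AccessDenied   = $denied.Count
        FailedLines    = $failed
        Verdict        = $verdict
    }
}

$result = Invoke-ShowRepsCheck
$result | Format-List
switch ($result.Verdict) {
    'UacFilteredToken' {
        Write-Warning 'Every neighbour replicated; the 8453 errors come from the unprivileged token. Re-run from a "Run as Administrator" window.'
    }
    'AccessDeniedWhileElevated' {
        Write-Warning 'Access denied even with a full token: check the replication rights on each naming context.'
    }
    'ReplicationFailure' {
        $result.FailedLines | ForEach-Object { Write-Warning $_ }
    }
}
```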